Attack Detection and Response with 
Linux Firewalls 

Michael Rash 

Security Architect 

Enterasys Networks, Inc. 

http://www.cipherdyne.org/ 

03/25/2007 
ShmooCon, 2007 

Copyright (C) 2007 Michael Rash 1 



Agenda 



Why use iptables to detect attacks? 
Types of attacks that can be detected 

- Snort rules language emulation via iptables logs 
and string match extension 

psad and fwsnort (http://www.cipherdyne.org/) 
Honeynet iptables log data visualizations 

- psad + AfterGlow 
Live Demo 
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Supplementing IDS Infrastructure? 

• Snort and commercial IDS infrastructure is mature (subject 
to usual concerns around false positives), but why stop 
there? 

• IDS's can themselves be targeted, both from the detection 
and code execution standpoints 

- Modified Stick/Snot to send faked attacks over Tor 

- Snort DCE/RPC Preprocessor vulnerability 

• Defense-in-depth is important 

• Host fragment reassembly issues less of a concern for 
iptables string matching (more on this later) 
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Major IDS Functionality We Need 

Signature based packet inspection 

- packet headers 

- application layer data 

Network and transport layer reassembly* 

- Ideally, reassembly algorithms would be identical to 
target host 

Reporting 

Ability to respond to attacks (optional) 
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Snort Signature Language 

Widely accepted and deployed IDS language 

Updated signatures readily available; 
http://www.bleedingsnort.com (BSD-licensed) 

Vulnerability announcement services (iDefense, 
Endeavor Security) provide signatures in Snort 
format 

Defines a good direction for iptables emulation 
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IDS and iptables 

Can specify granular packet header tests, and 
logging format contains nearly all interesting 
packet header fields 

Can match against connection states 

- Useful for mitigating Stick/Snot style attacks 

String matching in the kernel started in the 2.4 
days (patch applied via Netfilter patch-o-matic); 
made available again in 2.6.14 
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IDS and iptables (cont'd) 

Kernel textsearch (linux/lib/ts_*) infrastructure 
- Boyer-Moore and Knuth-Morris-Pratt algorithms 

String matching enabled by default in recent Linux 
kernels 

You get network layer defragmentation for free when 
connection tracking is used - you don't have to rely on 
proper configuration of frag3; it is the defragmentation 
algorithm of the host 

String matching within the filter table happens after 
network defrag 
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Active Response / Intrusion 
Prevention 

Plenty of reasons A/OTto respond (false positives, 
possibility of attacker abuse, possibility of 
fingerprinting the response mechanism) 

However: 

- Can envision scenarios where controlling the shape of application layer 
data that can talk to local sockets is a good thing - iptables can enforce 
the DROP target (this is prevention instead of just some weak 
response mechanism) 

- Some automated attacks do not bother with obfuscation/encryption - 
target rich environment 

- Sometimes it is not easy to patch a production server whose uptime 
must remain high (assuming a patch even exists) 
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fwsnort 

Translates Snort signatures into "equivalent" iptables 
rules using string match extension and Netfilter 
connection tracking subsystem 

All translated Snort signatures are placed within user- 
defined chains, to which packets are jumped from 
built-in chains (INPUT, OUTPUT, and FORWARD) 

Maintains strict separation from existing iptables policy 

Approximately 60% of all Snort-2.3.3 rules (remember 
this is an IDS supplement) can be translated 

Copyright (C) 2007 Michael Rash 9 



fwsnort (cont'd) 



Emulation of Snort config variables such as 
$HOME_NET and $EXTERNAL_NET 

Reporting via LOG target (integrates with psad) 

Whitelists via the RETURN target 

Blacklists via the DROP or REJECT targets 

Snort signature info stored with the iptables comment 
match in kernel-space (0.9.0 release) 

iptables is inline by definition; easy to configure 
fwsnort to use the DROP or REJECT targets 
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iptables Packet Flow 



USER 
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fwsnort Packet Flow 



FWSNORT_FORV 

(state match ESTABLISHED) 



FWSNORT FORWARD 



WHITELIST, non-ESTABLISHED, 
or completed fwsnort ruleset 
inspection 




FORWARD 



BLACKLIST packets as 
early as possible 



Incoming Packets [jumped immediately 
to the FWSNORT_FORWARD chain from 
the FORWARD chain) 



Outgoing 
Packets % 
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Example Snort Rule: nmap 
Execution via Web Server 



alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS 



(msg:"WEB-ATTACKS nmap command attempt"; 
flow:to_server,established; content:"nmap%20"; nocase; 
classtype:web-application-attack; sid:1361 ; rev:5;) 



Copyright (C) 2007 Michael Rash 13 



fwsnort Translation 



$IPTABLES -A FWSNORT_FORWARD_ESTAB -d 
192.168.10.0/24 -p tcp — dport 80 -m string 
— string "nmap%20" — algo bm -m comment — 
comment "msg: WEB-ATTACKS nmap command 
attempt; classtype: web-application-attack; 
rev: 5; FWS:0.9.0;" -j LOG — log-tcp- 
options — log-prefix "[1] SID1361 ESTAB " 
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"BLEEDING-EDGE VIRUS" 
Signature (Multiple Content Fields) 



alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg: "BLEEDING-EDGE VIRUS 
Trojan-Spy.Win32.Bancos Download"; flow: 
established, from_server; content:"[AspackDie!]"; 
content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 1 1 
af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; 
reference:url,securityresponse.symantec.com/avcenter/ve 
nc/data/pwsteal.bancos.b.html; sid: 2001726; rev:6; ) 
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(translated) 



$IPTABLES -A FWSNORT_FORWARD_ESTAB -d 
192.168.10.0/24 -p tcp --sport 80 -m string --string 
"[AspackDie!]" --algo bm -m string --hex-string "|0f 6d 
07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 
ac 5f 3138 d0|" -algo bm -m comment -comment "msg: 
BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos 
Download; classtype: trojan-activity; reference: 
url,securityresponse.symantec.com/avcenter/venc/data/pw 
steal. bancos.b.html; rev: 6; FWS:0.9.0;" -j LOG -log-ip- 
options -log-tcp-options -log-prefix "[640] SID2001726 

ESTAB " 
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"Matrix 2.0 Server Access" 
Signature 



alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 
(msg:"BACKDOOR Matrix 2.0 Server access"; content:"| 
Ob ab ab ab 00 00 00 |logged in"; reference:arachnids,83; 
classtype:misc-activity; sid:162; rev:4;) 
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(translated) 



$IPTABLES -A FWSNORT_FORWARD -d 
192.168.10.0/24 -p udp — sport 3345 — dport 
3344 -m string — hex-string " | Ob ab ab ab 
00 00 00 | logged in" --algo bm -m comment 
— comment M msg: BACKDOOR Matrix 2.0 Server 
access; classtype: misc-activity; 
reference: arachnids, 83 ; rev: 4; 
FWS: 0.9.0;" -j LOG — log-ip-options — log- 
prefix "[46] SID162 " 
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"IPSec PGPNet Connection 
Attempt" Signature 



alert udp $EXTERNAL_NET any -> $HOME_NET 500 
(msg:"POLICY IPSec PGPNet connection attempt"; 
content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 
10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 
01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 
00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 
80 OB 00 01 00 OC 00 04 00 01 |Q|80 00 00 00 24 02 01 00 
00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 
OB 00 01 00 OC 00 04 00 01 |Q|80 00 00 00 1 0|"; 
classtype:protocol-command-decode; sid:1771 ; rev:6;) 
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(translated) 



$IPTABLES -A FWSNORT_FORWARD -d 192.168.10.0/24 
-p udp — dport 500 -m string — hex-string " | 00 
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comment — comment "msg: POLICY IPSec PGPNet 
connection attempt; classtype: protocol- 
command-decode; rev: 6; FWS: 0.9.0;" -j LOG — 
log-ip-options — log-prefix "[1005] SID1771 " 
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Supported Snort Rule Options 



All Snort rule header 


• itype 


options 


• icode 


content 


• ttl (ttl match) 


flow (conntrack) 


• tos (tos match) 


flags 


• ipopts 


offset 


• ip_proto 


depth 


• resp 


dsize (length match) 
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Unsupported Snort Rule Options: 
Lost in Translation 

• pcre 

• flowbits 

• bytejest <-- u32 module (need a 2.6 port) 

• bytejump <-- u32 module (need a 2.6 port) 

• asnl 

• window <-- included in iptables logs 

• isdataat 

• id <-- included in iptables logs 
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Unsupported Snort Rule Options 

(cont'd) 

• icmp_id <-- included in iptables logs 

• icmp_seq <-- included in iptables logs 

• seq <-- included with -log-tcp-sequence 

• ack <-- included with --log-tcp-sequence 

• sameip <-- included in iptables logs 

• There are a few others - those that are logged 
can be analyzed by psad 
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iptables TCP Log Message 



Mar 11 20:21:22 minastirith kernel: [199] 
SID1361 ESTAB IN=ethl OUT= 

MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 
00 SRC=192.168.10.3 DST=192 . 168 . 10 . 1 LEN=60 
TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF 
PROTO=TCP SPT=2 8778 DPT=80 WINDOW=5840 
RES=0x00 ACK PSH URGP=0 OPT 
(0101080A02A041D2 0CC386B1) 
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iptables IP Header Coverage 



12 3 


4 5 6 7 


89012345 


6 7 8 


9 12 3 


45678901 


version 


IHL 


Type of Service 
(TOS=. PREC=) 


Total Length £LEN=) 


Identification (ID=) 


Flags 
CDF, MF) 


Fragment Offset (FRAG=) 


Time To Live (TTL=) 


Protocol CPROTO=) 


Header Checksum 


Source Address (SRC=) 


Destination Address CDST=) 


Options [OPT=, not decoded, requires -log-ip-options) 


Padding 
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iptables TCP Header Coverage 



01234567890123456789012345678901 



Source Port (SPT=) 



Destination Port £DPT=) 



Sequence Number [SEQ=, requires --log-:cp-sequence) 



Acknowledgement Number [ACK=, requires -log-tcp-sequence) 



Data Offset 



Reserved 
£RES=) 



ECN 
CCWR,..) 



Flags CSYN, etc.) 



Window (WINDOW=) 



Checksum 



Urgent Pointer tURGP=) 



Options (OPT=, not decoded, requires -log-tcp-options) 
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iptables UDP Log Message 



Mar 11 20:50:54 minastirith kernel: [153] 
SID2001597 IN=ethO OUT= 

MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 
00 SRC=192.168.10.3 DST=192 . 168 . 10 . 1 LEN=40 
TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF 
PROTO=UDP SPT=32046 DPT=61 LEN=20 
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iptables UDP Header Coverage 



01234567890123456789012345678901 



Source Port (SPT=) 


Destination Port (DPT=) 


Length (LEN=) 


Checksum 
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iptables ICMP Log Message 



Mar 11 20:57:18 minastirith kernel: [98] 
SID2003294 IN=ethO OUT= 

MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08: 
00 SRC=192.168.10.3 DST=192 . 168. 10 . 1 
LEN=128 TOS=0x00 PREC=0x00 TTL=63 ID=53466 
PROTO=ICMP TYPE=8 CODE=0 ID=2 7459 SEQ=0 
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iptables ICMP Header Coverage 






12 3 4 5 6 7 


89012345 


6789012345S78901 


Type OYPE=) 


Code CCODE=) 


Checksum 


DATA ::: (depends on Type and Code and is variable length - logged to some extent) 
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psad 

iptables log analyzer 

Email and syslog reporting 

Fwsnort integration 

Dshield integration 

iptables LOG visualization with AfterGlow 

Built-in passive OS fingerprinting derived from pOf 
(requires -log-tcp-options) 

IP options decoding (requires -log-ip-options) 
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psad (cont'd) 



Can detect Snort signatures that do not require 
application layer tests (source routing attempts, low ttl 
values, ICMP source quench, Nachi worm, etc.). This 
is all possible by virtue of iptables LOG format 
completeness. 

Detection of many port scan types generated by Nmap 

Timeout-based auto-blocking (optional, and can be 
restricted to application layer matches with fwsnort) 

Whitelists/Blacklists 
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Honeynet Scan Challenge #34 

Challenge summary: 

- Challenge information and analysis can be found 
here: http://www.honeynet.org/scans/scan34/ 

- Honeynet systems were compromised 

- Both Snort and iptables log data made available to 
the community (39MB of iptables data) 

- Honeynet IP addresses sanitized to 1 1 .1 1 .x.x 

- BTW, check out http://www.secviz.org 
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Honeynet Visualizations: 
Compromised Hosts 

Look for outbound connections from honeynet 
hosts: 



# psad — CSV -m iptablessyslog — CSV-fields 
"src:11.11.79.0/24 dst dp" | perl 
afterglow.pl -c color .properties | neato 
-Tgif -o outbound connections.gif 
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Nachi Worm Visualization 

Look for 92-byte ICMP echo requests 



# psad — CSV -m iptablessyslog — CSV-fields 
"src dst ip_len:92" — CSV-max 300 — CSV-regex 
"PROTO=ICMP.*TYPE=8" | perl afterglow.pl -c 
color .properties | neato -Tgif -o 
nachi worm.gif 
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Honeynet Project Requests 

If providing iptables log data, please: 

- Use -log-ip-options 

- Use --log-tcp-sequence 

- Use --log-tcp-options 

- More attacks can be detected, and operating 
systems can be passively fingerprinted 

Copyright (C) 2007 Michael Rash 38 



Live Demo. 
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Questions? 



http://www.cipherdyne.org/ 
mbr@cipherdyne.org 
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